Re: benchmarking mod_gnutls vs mod_ssl

From: Simon Josefsson
Subject: Re: benchmarking mod_gnutls vs mod_ssl
Date: Mon, 10 Mar 2008 12:45:01 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Sam Varshavchik <address@hidden> writes:
> Simon Josefsson writes:
>
>> "Paul Querna" <address@hidden> writes:
>>
>>>> One interesting behaviour I noticed when running the tests was that with
>>>> mod_ssl, the exchanged TCP packets as seen in wireshark were:
>>>>
>>>> -> client hello
>>>> <- server hello, certificate, server key exchange, server hello done
>>>> -> client key exchange, change cipher spec, encrypted handshake message
>>>> <- change cipher spec, encrypted handshake message
>>>> ...
>>>>
>>>> but with gnutls we have:
>>>>
>>>> -> client hello
>>>> <- server hello
>>>> <- certificate
>>>> <- server key exchange
>>>> <- server hello done
>>>> -> client key exchange, change cipher spec, encrypted handshake message
>>>> <- change cipher spec
>>>> <- encrypted handshake message
>>>>
>>>> In other words, gnutls sends each TLS packet in a separate TCP packet.
>>>> This may have some impact on performance, but it is too early to tell
>>>> for sure.
>>>
>>> This might be a bug in mod_gnutls -- we might want to add some smarter
>>> buffering / picking when we do a flush(). Right now I believe we try to
>>> flush every time gnutls says there is data to send.
>>
>> Hm, yes, perhaps mod_gnutls could do some buffering. Or gnutls could do
>> it internally.
>>
>>> It also would be nice if the gnutls API had a better way to say "flush",
>>> rather than just "here is data", although the current API is simple :-)
>>
>> Aren't there options in the kernel TCP interface to delay sending
>> packets for some time, to wait for more data that could also be sent in
>> the same packet? I have some vague memory about this.
>
> Yes, TCP_CORK via setsockopt. It's Linux specific.
Thanks for the pointer. I've read some documentation about it at:
http://linux.die.net/man/7/tcp
http://articles.techrepublic.com.com/5100-22-1050878.html
However, I'm not convinced it is a good idea for mod_gnutls to always
use it. The first article suggests it may introduce a 200ms delay when
collecting data, which could hurt benchmarking. Maybe we could try just
as an experiment to see if we get different results.
/Simon
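The TCP_CORK behaviour discussed in this thread, as an added example that is not code from mod_gnutls, GnuTLS or any poster. It opens a loopback TCP connection inside one process, has the "server" side send four constructed stand-ins for the records of its first flight (ServerHello, Certificate, ServerKeyExchange, ServerHelloDone; placeholder byte strings, not real TLS encodings) with one send() call per record, exactly the pattern that produces one TCP packet per record when each send() is flushed individually. The socket is corked before the first send() and uncorked after the last one, which is the explicit "flush" the thread wishes the API had: the kernel may then put the whole flight into one segment, and uncorking pushes it out immediately rather than waiting for the up-to-200 ms cork timer that would apply if the cork were left set. The function names and the fragment contents are this example's own. TCP_CORK is Linux-specific; on other systems set_cork() fails with ENOPROTOOPT.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-ins for the four records of the server's first flight.
 * Each is exactly 20 bytes; they are demo payloads, not TLS encodings. */
static const char *const kFlight[] = {
    "SERVER_HELLO........",
    "CERTIFICATE.........",
    "SERVER_KEY_EXCHANGE.",
    "SERVER_HELLO_DONE...",
};
static const size_t kFlightLen = sizeof kFlight / sizeof kFlight[0];

/* Set (on=1) or clear (on=0) TCP_CORK on a TCP socket.  Returns 0 on success. */
int set_cork(int fd, int on)
{
#ifdef TCP_CORK
    return setsockopt(fd, IPPROTO_TCP, TCP_CORK, &on, sizeof on);
#else
    (void)fd; (void)on;
    errno = ENOPROTOOPT;            /* TCP_CORK exists only on Linux */
    return -1;
#endif
}

/* One send() per record, as when every record GnuTLS produces is flushed,
 * but with the socket corked for the whole flight.  Clearing the cork at
 * the end is the explicit flush: queued bytes go out at once, without the
 * delay that an indefinitely corked socket would incur.
 * Returns the number of bytes queued, or -1 with errno set. */
ssize_t send_flight_corked(int fd, const char *const *frags, size_t n)
{
    ssize_t total = 0;
    if (set_cork(fd, 1) < 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(frags[i]);
        if (send(fd, frags[i], len, 0) != (ssize_t)len)
            return -1;
        total += (ssize_t)len;
    }
    if (set_cork(fd, 0) < 0)
        return -1;
    return total;
}

/* Run the flight over a loopback TCP connection in this process.  Copies
 * what the receiver saw into buf and returns the byte count, or -1.  *reads
 * is the number of recv() calls that returned data: a rough hint of how the
 * bytes were delivered, not a packet count (use tcpdump/wireshark for that). */
ssize_t demo_corked_flight(char *buf, size_t buflen, int *reads)
{
    int lfd = -1, cfd = -1, sfd = -1;
    ssize_t got = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                           /* kernel picks a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if (listen(lfd, 1) < 0) goto out;
    if (getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if ((sfd = accept(lfd, NULL, NULL)) < 0) goto out;

    /* "Server" side sends its corked flight; "client" side reads until EOF. */
    if (send_flight_corked(sfd, kFlight, kFlightLen) < 0) goto out;
    shutdown(sfd, SHUT_WR);
    got = 0;
    *reads = 0;
    for (;;) {
        ssize_t r = recv(cfd, buf + got, buflen - (size_t)got, 0);
        if (r < 0) { got = -1; break; }
        if (r == 0) break;
        got += r;
        (*reads)++;
    }
out:
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return got;
}

int main(void)
{
    char buf[256];
    int reads = 0;
    ssize_t n = demo_corked_flight(buf, sizeof buf, &reads);
    if (n < 0) { perror("demo_corked_flight"); return 1; }
    printf("receiver saw %zd bytes in %d recv() call(s)\n", n, reads);
    return 0;
}
```

Running it under tcpdump on lo shows whether the four records travelled as one segment; without the cork/uncork pair around the loop each send() may become its own segment, which is the per-record packet pattern observed in the benchmark. Leaving the cork set and never clearing it is what introduces the delay the TechRepublic article warns about, so a server that adopts TCP_CORK has to uncork at the end of every flight.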